Speaker Background 



Jim Butterworth, CTTC USN (Ret.) 

(CFE/EnCE/GCIA/GSNA/GREM) 

Senior Director of Cyber Security, Guidance Software 



Certified: 

— Fraud Examiner (Spreadsheet Junkie) 

— Computer Forensic Examiner (Hex Junkie) 

— Intrusion Analyst (Packet Junkie) 

— Reverse Engineer (Code Junkie) 

— Systems and Network Auditor (Audit Junkie) 

— Superior Court Forensic Expert (Expert Witness Junkie) 

Experience: 

— Intrusion Analysis & Incident Response 

— Forensic Investigation and Testimony 

— Malware Analysis and Threat Attribution 

— Fraud Examinations and Best Practices 

— Have worked cases for just about every industry 

— Worldwide, both commercial and government 





Digital Perspective: 
Threat actors are unifying to achieve mutual goals. 

Despite advances in technology, incidents are on the rise. 

A 0-day is called that for a reason. 

We are segmented into providers or obstructionists; perhaps those 
that giveth, and those that taketh away... 

My observation from years of responding: 
#1 - The new (but not) "l33t" is social engineering your userland 
#2 - Passwords (really, are we STILL talking about this?) 
#3 - Why do old attack vectors from years ago continue to work? 
#4 - How "social network" active are your users? Is that a threat? 

Our cyber world in pictures; each one says a thousand words... 




Cloud Computing and Host 

Information is being sought for "Justice, Transparency, and Freedom" (WikiLeaks) 



Fight: When attacked, will you fight through, rebuild, wipe, pull the plug...? 

Sun Tzu: 

"If you know your enemies and know yourself, you can win 
one hundred battles without a single loss." 

"If you know neither yourself nor your enemy, you will always 
endanger yourself." 

"Therefore one hundred victories in one hundred battles is not 
the most skillful. Seizing the enemy without fighting is the 
most skillful." 

Data is the lifeblood of a company 



Business Intelligence | Risk 

The advertised price of data breaches 

$204 per consumer record (average) 
$600 billion in IP theft a year globally 

No industry is immune 

(Chart: breakdown of reported incidents by industry) 
Layered Security & Defenses 

On a normal day, Fortune 1000 companies get 500,000 probes. 
How effective is your security? 99.9%? 

At 500,000 probes a day: 
  99%    effective -> 5,000 probes get through 
  99.9%  effective ->   500 probes get through 
  99.99% effective ->    50 probes get through 

(Chart: effectiveness, survey of CISOs) 

Over $16B is spent annually on security. 



Commercial botnets as profit engines: Mariposa 

Controlled 12.7 million PCs, including machines in more than 500 of the 
Fortune 1000 and in more than 40 major banks 

Advanced persistent threats (APT) target business assets: 
Operation Aurora, Night Dragon... 

Affected Google, Adobe, Intel, oil and gas... 

Multi-phase (persistent and long-term) to 
penetrate deep into the enterprise 







The CISO Must Be Ready for Anything 



"The CISO's job has mostly been about 

governance, risk, compliance, and some operational aspects. It was 
sometimes associated with incident response. Now it's becoming more 
[associated] with incident response and will be into the future." 






--Gary Terrell, CISO, Adobe, and 
Bay Area CSO Council, as quoted 
in CIO.com after Operation Aurora 



"As western companies take a hard look at their security 
postures, forensics may become key to survival, say analysts." 

- Robert McMillan, CIO Magazine, 3/17/2010, 
"Forensics Tools Help Companies 
Investigate Intrusions Remotely" 




DOD repurposed IT equipment without scrubbing 
sensitive info, audit reveals 

Inspector General finds inadequate controls for getting rid of used IT 
equipment 

By Amber Corrin, Sep 23, 2009 

Some Defense Department organizations haven't scrubbed data from 
information technology equipment before disposing of the hardware, 
resulting in the possible release of information that could be used for identity 
theft, or releasing other sensitive DOD information, according to an Inspector 
General audit. 



There is no shortage either... 
$25,000 for Missing State Department Laptop 

The FBI Puts Out $25,000 Reward for Missing State Dept. Computer 

The Drug Enforcement Administration's Control Over Weapons and Laptop Computers: Follow-Up Audit 

Classified data on president's helicopter leaked via P2P 

Jaikumar Vijayan, Computerworld 
2 Mar. 2009 

Breach Analysis 

Fraud investigations 

Malware Purpose(s) 

Risk and Exposure 

Cyber Damage Assessment 

Etc... 



Risk assessment 
Targeted search 

Routine Audits 



The IP Theft Cycle 

How it works & how they get caught: 

Intelligence (already aware of the data, or searching for it) 
  -> Copy -> Store -> Remove 

The fraud investigation traces the same cycle, stage by stage. 


How they get caught finding it... 



Receiving Intelligence 
VOIP messages 
Email & IM Chat logs 
Recent documents (txt/doc) 
Yellow sticky notes on desk/notepads 

Already Aware 

Check folder & file permissions 
Perform Link File Analysis 
Check User Group Memberships 



Searching via Explorer 

Index.dat 

— Records the folders browsed in Explorer (file:/// entries alongside the web history) 

Event logs 

— Show privilege escalation 

— Using the System account as a proxy 

— Directory traversal 

The "browsers" and the "no need to know" 



Copying it... 



Simple Drag & Drop 
Cut & Paste 
New file, Paste 



May already exist on their computer 
Check file-system Created times 
Check file metadata 
Check file times (Modified, Accessed, Created) 

Evidence of drag & drop 

• Check file attributes 
• A copy to another volume gets a new Created time but keeps the source's Modified time: 
  a file Created later than it was Modified is the tell 

Restore Point analysis 
— Only on Windows XP and later (Windows 2000 has no System Restore) 
— Must be enabled by administrators (not always available)! 

Check the virtual memory (pagefile.sys) 



How they get caught copying it... 



New file / paste contents 
Keyword search 

• Timeline analysis (file Created times) 
Link file analysis 

Evidence of "Save As" 

• Hash remains the same? (Maybe: an untouched copy matches; any edit or metadata change breaks the match) 

File creation time 

— Compare the new file's Created time to the Last Accessed time of the 
original document 

Fuzzy hashing (similarity matching) and entropy analysis 



Archiving methods 
Encryption 
Obfuscation 
Removable media 



How they get caught storing it... 



Using compression utilities 

Check for compressed files (zip/rar/gzip/etc.) 
Check for existence of programs (WinZip/WinRAR) 

Investigative challenges 

Link file analysis is inconclusive: the archiver opens the source files 
directly, so no shortcut is created for each file added 

► Windows compression tool 

— Browse to files 

— "Add to archive" 

— Files are staged in a temp location (or in memory) for compression 

— Check temp folders and virtual memory for the staged copies 


Encryption 

Encrypts the contents of the file 
NTFS metadata may carry the "encrypted" attribute (EFS) 
• EFS/PGP (existence of programs) 

Alternate Data Streams 

Ex: "MyFile.txt:SecretFile.txt" 

— Shows up as MyFile.txt only in Explorer and in a plain dir listing 

— Can be used to hide massive amounts of data (the stream does not add to the visible file size) 

— Can be used to hide and launch malware 
Often missed by AV and auditing software that do not enumerate streams 

Requires forensic analysis (or "dir /r" on Vista and later) 



How they get caught storing it... 



Using file editing utilities 

XORing 
— XORs every byte of the file against a key (a single byte or a repeating pattern) 

Renders the file unusable on the system 
Completely unrecognizable 
Investigative challenges 
Not keyword searchable 
File has no recognizable headers 

Unrecognizable file format with an arbitrary extension 
May bypass content-inspecting network controls (IDS/DLP signatures) 



Hex editing 

Bury files within files 
— Cheap steganography 

Check for keywords 

Conduct file signature analysis (file headers, at offset 0 and embedded deeper in the file) 

Steganography 

Interlaces a data stream (file) within a data stream (file) 

Very hard to detect 

Finding steganography programs is the start. 
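The signature checks and XOR obfuscation described on the last two slides, as an added example that is not part of the original deck: it identifies a file by its header, scans for a known header buried at any offset (the "cheap steganography" of a hex edit), recovers a single-byte XOR key by brute force against those headers, and computes Shannon entropy, which a single-byte XOR leaves unchanged. The signature table and the sample bytes are constructed for the example.

```python
# Added example (not from the original deck): file-signature analysis for
# obfuscated or buried files, standard library only.
import math
from typing import List, Optional, Tuple

# Magic bytes at offset 0 for formats that commonly carry IP. Constructed
# table for the example; extend it from a signature database for real work.
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (doc/xls/ppt)",
    b"\x89PNG\r\n\x1a\n": "png",
    b"Rar!\x1a\x07": "rar",
    b"PK\x03\x04": "zip (docx/xlsx/odt/jar)",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"\x1f\x8b": "gzip",
    b"MZ": "pe executable",
}
# Longest magics first so a 2-byte signature cannot pre-empt a longer one.
ORDERED = sorted(SIGNATURES.items(), key=lambda kv: -len(kv[0]))


def identify(data: bytes) -> Optional[str]:
    """Format name whose magic matches the start of data, else None."""
    for magic, name in ORDERED:
        if data.startswith(magic):
            return name
    return None


def find_embedded(data: bytes) -> List[Tuple[int, str]]:
    """Every known signature at any offset: a file buried inside another file."""
    hits = []
    for magic, name in ORDERED:
        start = 0
        while (pos := data.find(magic, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, up to 8.0 for uniform random
    (compressed or encrypted content sits near 8.0; a plain XOR does not move it)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR against a repeating key; the same call undoes it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_single_byte_xor(data: bytes) -> Optional[Tuple[int, str]]:
    """Brute-force the 256 single-byte keys and accept the first whose decoded
    header is a known signature. Single-byte XOR only permutes the byte
    histogram, so entropy is unchanged: a file with no header but ordinary,
    text-like entropy is a candidate for this check."""
    head = data[:8]
    for key in range(256):
        fmt = identify(xor_bytes(head, bytes([key])))
        if fmt:
            return key, fmt
    return None


if __name__ == "__main__":
    # Constructed sample: a PDF header obfuscated with key 0x5A, and a JPEG
    # with a ZIP archive appended to it by a hex editor.
    pdf = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj<</Type/Catalog>>endobj\n"
    hidden = xor_bytes(pdf, b"\x5a")
    print("obfuscated header identified as:", identify(hidden))      # None
    print("recovered key/format:", recover_single_byte_xor(hidden))  # (90, 'pdf')
    print("entropy %.3f vs %.3f" % (shannon_entropy(pdf), shannon_entropy(hidden)))
    carrier = b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"PK\x03\x04" + b"\x14\x00" * 16
    print("embedded signatures:", find_embedded(carrier))  # [(0, 'jpeg'), (68, 'zip (docx/xlsx/odt/jar)')]
```

A repeating multi-byte key defeats the brute force above but not the entropy observation; for that case the usual next step is to try key lengths against the expected header, which is the same loop with a longer key.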



Removing it... 



Removable media 

email 

File Transfer 

Remote Desktop 

File upload 

P2P 

Social Networking 



Removable Media 

Mounted devices in the registry (SYSTEM\MountedDevices, Enum\USBSTOR) record the device serial number 
Parse link files looking for mappings to unknown volumes 
Within the registry, mounted devices map to a logical drive letter 
Look for cross-correlation of the same drive across systems 
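Link file analysis for unknown volumes, as an added example that is not from the deck: a minimal MS-SHLLNK parser that reads the target's MAC times from the shortcut header and the LinkInfo VolumeID (drive type, serial number, label, local path), then flags shortcuts whose target volume is removable or whose serial is not in the investigator's list of known corporate volumes. It handles ANSI paths only (no Unicode offsets, no network links) and builds its own sample .lnk blobs; the serials, label and paths are made up.

```python
# Added example (not from the original deck): parse Windows shortcut (.lnk)
# files per MS-SHLLNK and flag links that point at volumes the investigator
# does not know, e.g. a USB stick that was plugged in once.
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01          # LinkFlags bits (MS-SHLLNK 2.1.1)
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01    # LinkInfoFlags bit (MS-SHLLNK 2.3)
DRIVE_TYPES = {0: "unknown", 1: "no_root_dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def _cstring(buf: bytes, off: int) -> str:
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data: bytes) -> Dict:
    """Target MAC times from the header plus LinkInfo volume fields (ANSI paths only)."""
    if struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    ctime, atime, wtime = struct.unpack_from("<QQQ", data, 28)
    out = {"target_created": filetime_to_datetime(ctime),
           "target_accessed": filetime_to_datetime(atime),
           "target_written": filetime_to_datetime(wtime)}
    pos = 0x4C                                   # first structure after the header
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        (_size, _hdr_size, li_flags, vol_off, base_off,
         _cnrl_off, _suffix_off) = struct.unpack_from("<7I", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vo = pos + vol_off                   # offsets are relative to LinkInfo
            _vsize, drive_type, serial, label_off = struct.unpack_from("<4I", data, vo)
            out["drive_type"] = DRIVE_TYPES.get(drive_type, "unknown")
            out["volume_serial"] = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)
            out["volume_label"] = _cstring(data, vo + label_off) if label_off == 0x10 else ""
            out["local_base_path"] = _cstring(data, pos + base_off)
    return out


def flag_unknown_volumes(lnks: List[bytes], known_serials: Set[str]) -> List[Dict]:
    """Shortcuts whose target sits on removable media or on a volume whose
    serial is not in the list of known (imaged) corporate volumes."""
    findings = []
    for blob in lnks:
        info = parse_lnk(blob)
        serial = info.get("volume_serial")
        if serial is None:
            continue                             # no VolumeID: network target or IDList-only link
        if info["drive_type"] == "removable" or serial not in known_serials:
            findings.append(info)
    return findings


def build_sample_lnk(drive_type: int, serial: int, label: str, base_path: str,
                     write_time: int = 0) -> bytes:
    """Constructed test data: a minimal .lnk (header + LinkInfo with VolumeID),
    not a shortcut taken from a real system."""
    label_b = label.encode("ascii") + b"\x00"
    vol = struct.pack("<4I", 16 + len(label_b), drive_type, serial, 0x10) + label_b
    base_b = base_path.encode("ascii") + b"\x00"
    hdr = 0x1C                                   # LinkInfoHeaderSize without Unicode offsets
    vol_off, base_off = hdr, hdr + len(vol)
    suffix_off = base_off + len(base_b)          # empty CommonPathSuffix
    link_info = struct.pack("<7I", suffix_off + 1, hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + vol + base_b + b"\x00"
    header = (struct.pack("<I", 0x4C) + LNK_CLSID
              + struct.pack("<II", HAS_LINK_INFO, 0x20)        # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
              + struct.pack("<QQQ", 0, 0, write_time)          # Creation, Access, Write FILETIMEs
              + struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0))  # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, reserved
    return header + link_info


if __name__ == "__main__":
    known = {"1234-ABCD"}                        # assumed: serials of the imaged corporate volumes
    links = [
        build_sample_lnk(3, 0x1234ABCD, "OS", r"C:\Users\jdoe\Documents\roadmap.docx"),
        build_sample_lnk(2, 0xDEADBEEF, "KINGSTON", r"E:\roadmap.docx", 116444736000000000),
    ]
    for f in flag_unknown_volumes(links, known):
        print(f["drive_type"], f["volume_serial"], f["volume_label"],
              f["local_base_path"], f["target_written"])
```

The serial printed in "XXXX-XXXX" form is the same value shown by "vol" on the device and recorded under MountedDevices, which is what lets one shortcut on a workstation be tied to the same stick seen on another.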

Email 

IP thieves rarely use company accounts 

Webmail 

— "compose.htm" 

— "getmsg.htm" 

Review your webmail and remote service policies. 



How they get caught removing it... 
Evidence of File Transfer 

— FTP service started (event logs) 
— Look for file transfer programs (CuteFTP/TinyFTP, etc.) 
— Parse web traffic logs looking for FTP connections 
— Check IIS server logs looking for names of files 

Evidence of Remote Desktop 

Programs installed 

— pcAnywhere 

— GoToMyPC 

— WinVNC 

— LogMeIn 





Evidence of CD/DVD Burning 

• Burning session becomes a job 

— Program takes files and moves to a temp location 

— After Burning; files are deleted (Look for artifacts) 

Look in App Event log for program start up 
Look at CD job log - concentrate on filenames 

Evidence of Web Upload 

Index.dat analysis of sites visited 

URLs visited 

Dropbox, P2P, torrents, and using webmail as storage. 



Insider Detection 



Insider Indications 

Test scripts and/or techniques 

Try a multitude of tools (Port scanners, network probes, 
war driving) 

Rogue Systems 

Bogus Accounts 

Odd hour activity 

Undue Curiosity 

Hiding screen data 

Positions screen to hinder view 



Insider Indications (continued) 

Joking and Bragging 

— Installs unauthorized software 

  — Duty-associated software: Dreamweaver, Nero, Photoshop, programming tools 

  — Unassociated harmless software: WinAmp, ICQ, games 

  — Suspicious software: L0phtCrack, key generators, rootkits 

Escalated privileges 
No fear of getting caught 




Insider Detection 



When indicators arise, review for: 
Unusual processes 
TCP/UDP connections 
Web site activity (local/proxy) 
Unauthorized sites 

Remote access sites (MobileMe, LogMeIn, pcAnywhere, WebEx, etc.) 

Use of anonymity sites or installation of Tor 




Accounts and their rights 



Unauthorized devices 






Cyber RAT Holes 
How many licks to get to the inside...? 

• ...3 (SYN; SYN-ACK; ACK)??? 

How about 1? 

One email. SMTP is store-and-forward: the attacker never opens a 
connection to the victim's host; the mail relay delivers the message, 
and the user does the rest. 



RAT holes 

Firewalls (easier to get out; than in) 

Perimeter subterfuge (Create a loud ruse to conceal true intent) 



Combating the Insider Threat 



Be Proactive! 

Review scans for unauthorized software and compile 
trends. 

Scan for bogus accounts and report anomalies. 

Monitor help desk tickets for trends. 

— Insiders do call for help when their attempts 
to circumvent security measures mess things up 

Monitor for unusual logon times 

Monitor for unauthorized file and folder access 
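The indicators from the "Insider Detection" and "Combating the Insider Threat" slides turned into a check, as an added example that is not from the deck: a small rule set run over constructed proxy log lines (time, user, method, URL, bytes sent) that reports webmail compose or attach posts, remote access services, file-sharing and anonymizer hosts, bulk uploads to non-corporate hosts, and activity outside business hours, aggregated per user so that trends rather than single events stand out. The domain lists, the 1 MB threshold, the 07:00 to 19:00 window and the log format are assumptions to adapt to the environment.

```python
# Added example (not from the original deck): insider indicators scored over
# constructed proxy log lines. Lists and thresholds are illustrative.
from datetime import datetime
from typing import Dict, List
from urllib.parse import urlsplit

REMOTE_ACCESS_HOSTS = {"logmein.com", "gotomypc.com", "webex.com", "me.com"}
WEBMAIL_HOSTS = {"mail.live.com", "mail.google.com", "mail.yahoo.com"}
FILE_SHARING_HOSTS = {"dropbox.com", "megaupload.com", "thepiratebay.org"}
ANONYMIZER_HOSTS = {"torproject.org", "anonymizer.com"}
CORPORATE_HOSTS = {"intranet.example.com", "mail.example.com"}  # assumed allowlist
UPLOAD_THRESHOLD = 1_000_000      # bytes sent in one POST/PUT (assumed)
BUSINESS_HOURS = range(7, 19)     # 07:00-18:59, Monday to Friday (assumed)


def _host_in(host: str, domains) -> bool:
    """True if host equals or is a subdomain of any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line: str) -> Dict:
    """'<ISO time> <user> <METHOD> <url> <bytes_sent>' -> record (constructed format)."""
    ts, user, method, url, sent = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user, "method": method,
            "url": url, "host": urlsplit(url).hostname or "", "sent": int(sent)}


def classify(rec: Dict) -> List[str]:
    """Every indicator one record trips (possibly none)."""
    hits = []
    host, path = rec["host"], urlsplit(rec["url"]).path.lower()
    if _host_in(host, WEBMAIL_HOSTS):
        hits.append("webmail")
        if rec["method"] == "POST" and ("compose" in path or "attach" in path):
            hits.append("webmail_send_or_attach")
    if _host_in(host, REMOTE_ACCESS_HOSTS):
        hits.append("remote_access_service")
    if _host_in(host, FILE_SHARING_HOSTS):
        hits.append("file_sharing")
    if _host_in(host, ANONYMIZER_HOSTS):
        hits.append("anonymizer")
    if (rec["method"] in ("POST", "PUT") and rec["sent"] >= UPLOAD_THRESHOLD
            and not _host_in(host, CORPORATE_HOSTS)):
        hits.append("bulk_upload")
    t = rec["time"]
    if t.weekday() >= 5 or t.hour not in BUSINESS_HOURS:
        hits.append("odd_hours")
    return hits


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Aggregate indicators per user; one odd-hour login is noise, a pattern is not."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        for hit in classify(rec):
            report.setdefault(rec["user"], []).append(hit)
    return report


# Constructed sample log (2009-03-02 is a Monday, 2009-03-07 a Saturday).
SAMPLE_LOG = """\
2009-03-02T09:15:02 jdoe GET https://intranet.example.com/policies.htm 412
2009-03-02T23:41:05 jdoe POST https://mail.live.com/mail/compose.htm 2400000
2009-03-03T02:10:44 jdoe GET https://secure.logmein.com/home 0
2009-03-07T14:20:11 jdoe GET https://www.torproject.org/download 0
2009-03-03T10:02:17 asmith POST https://mail.example.com/owa/ 5000000
"""

if __name__ == "__main__":
    for user, hits in scan(SAMPLE_LOG.splitlines()).items():
        print(user, sorted(set(hits)), "events:", len(hits))
```

The same classify() can be pointed at Index.dat or browser history exports once they are mapped to the same record shape; the value is in the per-user aggregation, which is what turns the slides' "review for" list into something that can be run every morning.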




Some questions to ask: 

How do we know? 
What can we do? 
Where did it go? 
What actions can we take? 
How sensitive was the data? 
What is the impact? 



Tagging your data... 



XYZ Inc. tries to hide the data by removing "ABC Inc." from any 
documents and removes any corporate logos belonging to ABC Inc. 

But ABC Inc. was ready for that. 

ABC Inc. injected a specific keyword "tag" into every electronic file 
ever created in the company. 

To include all template documents! 

ABC Inc. hired a computer forensic 
& eDiscovery company to find 
any documents with the "tag" 
anywhere on XYZ's network. 



(Screenshot: Word Document Properties dialog, Summary tab, with the fields Title, Subject, Author, Manager, Company, Category, Keywords, Comments, Hyperlink base and Template: Normal.dot; visible values "Cary, Moore" and "GSI") 

Tagging your data... 

The search revealed 3 files on XYZ's network very similar to the 
compromised files, but the company names and logos were changed to 
XYZ Inc. 

By tagging the "Keywords" field in 
Word documents, the tag will be present 
even if the user changes the document 
text. 

The likelihood of "G$1-S0FTW@R3" 
happening by accident is VERY low. 



(Screenshot: the same Document Properties dialog, Summary tab, with the tag in the Keywords field) 

Any document created from a 
document template (.dot) will 
also have the "tag" in the 
"Keywords" field! 
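The tagging technique from the ABC Inc. / XYZ Inc. story, as an added example that is neither code from the deck nor from Guidance Software: it writes the tag into the Keywords core property of an in-memory OOXML (.docx) package, rewrites the visible text the way the thief did, and then searches a set of files for the tag, which survives the rebranding because it lives in docProps/core.xml rather than in the document text. The slides show a binary .doc with a Normal.dot template; the OOXML container is used here because the standard library can read it, and the same core.xml sits inside a .dotx template, so documents built from a tagged template inherit the field. The tag, names and contents are made up.

```python
# Added example (not from the original deck): plant a keyword tag in document
# metadata and find it again after the visible text has been rebranded.
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
TAG = "G$1-S0FTW@R3"   # hypothetical tag, as on the slides


def make_docx(body_text: str, author: str, company_text: str, keywords: str = "") -> bytes:
    """Build a minimal OOXML package in memory (constructed test data: core.xml
    plus one paragraph; not a complete Word file)."""
    core = ET.Element(f"{{{CP_NS}}}coreProperties")
    ET.SubElement(core, f"{{{DC_NS}}}creator").text = author
    ET.SubElement(core, f"{{{CP_NS}}}keywords").text = keywords
    doc = ET.Element(f"{{{W_NS}}}document")
    body = ET.SubElement(doc, f"{{{W_NS}}}body")
    run = ET.SubElement(ET.SubElement(body, f"{{{W_NS}}}p"), f"{{{W_NS}}}r")
    ET.SubElement(run, f"{{{W_NS}}}t").text = f"{company_text}: {body_text}"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", ET.tostring(core, encoding="unicode"))
        z.writestr("word/document.xml", ET.tostring(doc, encoding="unicode"))
    return buf.getvalue()


def read_keywords(docx_bytes: bytes) -> Optional[str]:
    """The Keywords core property, or None if the package has no core.xml or field."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return None
        root = ET.fromstring(z.read("docProps/core.xml"))
    node = root.find(f"{{{CP_NS}}}keywords")
    return node.text if node is not None else None


def read_body(docx_bytes: bytes) -> str:
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read("word/document.xml").decode("utf-8")


def rebrand(docx_bytes: bytes, old: str, new: str) -> bytes:
    """What XYZ did: rewrite the visible text and leave the metadata untouched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == "word/document.xml":
                data = data.replace(old.encode("utf-8"), new.encode("utf-8"))
            dst.writestr(name, data)
    return buf.getvalue()


def find_tagged(files: List[Tuple[str, bytes]], tag: str = TAG) -> List[str]:
    """Names of files whose Keywords field carries the tag; text content is ignored
    and non-OOXML files are skipped rather than failing the sweep."""
    hits = []
    for name, blob in files:
        try:
            kw = read_keywords(blob)
        except zipfile.BadZipFile:
            continue
        if kw and tag in kw:
            hits.append(name)
    return hits


if __name__ == "__main__":
    original = make_docx("Q3 roadmap", "Cary Moore", "ABC Inc.", keywords=TAG)
    stolen = rebrand(original, "ABC Inc.", "XYZ Inc.")
    clean = make_docx("memo", "Someone", "XYZ Inc.")
    print(find_tagged([("roadmap.docx", original), ("xyz_roadmap.docx", stolen),
                       ("memo.docx", clean), ("notes.txt", b"plain text")]))
```

A tag only proves provenance if it is unlikely to occur by chance and is not advertised; a sweep for it on the other side's network is an eDiscovery keyword search over metadata, which is why the slides stress tagging the templates too.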







QUESTIONS? 



Jim Butterworth, CFE EnCE 
Sr. Director, Cyber Security 
Guidance Software, Inc 
jim.butterworth@encase.com 
(626)381-8574 



